IETF-SSH archive
Re: "too many auth failures"?
What if there is a limit on the number of simultaneous ssh sessions? Let's say a system can only reasonably support a single ssh session. Shouldn't there be a limit to prevent a DoS attack?
Also, public key authentication is not free from a CPU utilization perspective. On a 40MHz 68K processor, the signature can take well over a second to verify.
----- Original Message -----
From: ietf-ssh-owner%NetBSD.org@localhost <ietf-ssh-owner%NetBSD.org@localhost>
To: ietf-ssh%netbsd.org@localhost <ietf-ssh%netbsd.org@localhost>
Sent: Wed Oct 27 07:15:12 2010
Subject: Re: "too many auth failures"?
>> My view is that servers should have two failure counters: one for
>> password and keyboard-interactive, another one for all others.
> Yeah, I'd thought about that too, but where do you stop? Which
> counter type would a ZKP use? Or EKE? Or IBE?
The "all others".
Think about the point of those failure counters: they're designed to
slow down password-guessing attacks. publickey, ZKP, etc, don't have
anything like password-guessing risks, so it's arguably inappropriate
to do failure counters for them.
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
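As an added illustration of the two-counter proposal in the quoted message and the CPU-cost point in the reply (this is example code, not from the thread or from any SSH implementation; the limits 3 and 10 and the scenarios are assumed/constructed), here a single shared failure counter is compared with separate counters for guessable and non-guessable methods:

```python
from dataclasses import dataclass

# Methods whose failures are evidence of secret guessing, per the thread.
GUESSABLE = {"password", "keyboard-interactive"}


@dataclass
class Policy:
    max_guessable: int = 3  # assumed value, analogous to sshd MaxAuthTries
    max_other: int = 10     # assumed value; bounds signature checks per connection


def single_counter(attempts, limit=3):
    """Classic policy: every failed method counts against one shared limit.
    attempts is a list of (method, succeeded) tuples.
    Returns ('accepted', i), ('refused', i) or ('failed', n_failures)."""
    failures = 0
    for i, (_method, ok) in enumerate(attempts):
        if failures >= limit:
            return ("refused", i)       # "too many auth failures"
        if ok:
            return ("accepted", i)
        failures += 1
    return ("failed", failures)


def two_counter(attempts, policy=Policy()):
    """Thread proposal: password/keyboard-interactive share one counter,
    everything else (publickey, ZKP, ...) shares another. The second
    counter exists only to cap verification work, not to stop guessing."""
    counts = {"guessable": 0, "other": 0}
    limits = {"guessable": policy.max_guessable, "other": policy.max_other}
    for i, (method, ok) in enumerate(attempts):
        bucket = "guessable" if method in GUESSABLE else "other"
        if counts[bucket] >= limits[bucket]:
            return ("refused", i)       # a real server would disconnect here
        if ok:
            return ("accepted", i)
        counts[bucket] += 1
    return ("failed", sum(counts.values()))


# Constructed scenarios.
# An agent offers five keys the server does not know, then the right password.
MANY_KEYS_THEN_PASSWORD = [("publickey", False)] * 5 + [("password", True)]
# A password-guessing attempt: four wrong passwords in a row.
PASSWORD_GUESSING = [("password", False)] * 4
# Twenty bad signatures: work that must be bounded on a slow CPU.
SIGNATURE_FLOOD = [("publickey", False)] * 20
```

With one shared counter the legitimate user is refused before the password is ever tried, while the two-counter policy still stops password guessing at the same point and still caps signature verification.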